PATENT APPLICATION

Authentication Engine Architecture and Method

BACKGROUND OF THE INVENTION

The present invention relates generally to the field of cryptography, and more 
specifically to an architecture and method for cryptography acceleration. In particular, 
the invention is directed to a hardware implementation to increase the speed at which 
authentication procedures may be performed on data packets transmitted over a 
computer network. 

Many methods to perform cryptography are well known in the art and are
discussed, for example, in Applied Cryptography, Bruce Schneier, John Wiley &
Sons, Inc. (1996, 2nd Edition), herein incorporated by reference. In order to improve
the speed of cryptography processing, specialized cryptography accelerator chips have 
been developed. Cryptography accelerator chips may be included in routers or 
gateways, for example, in order to provide automatic IP packet encryption/decryption. 
By embedding cryptography functionality in network hardware, both system 
performance and data security are enhanced. 

Cryptography protocols typically incorporate both encryption/decryption and
authentication functionalities. Encryption/decryption relates to enciphering and
deciphering data; authentication is concerned with data integrity, including confirming
the identity of the transmitting party and ensuring that a data packet has not been
tampered with en route to the recipient. It is known that by incorporating both
encryption and authentication functionalities in a single chip, overall
system performance can be enhanced.

Examples of [...] encryption/decryption
and authentication functionalities include SSL (Netscape Communications
Corporation), commonly used [...]
recently promulgated industry security standard known as "IPSec." These protocols
and their associated algorithms are [...]
described in detail in National Institute of Standards and Technology (NIST), IETF
and other specifications, some of which are identified (for example, by IETF RFC#)
below for convenience. These specifications are incorporated herein by reference for
all purposes.

SSL (v3) uses a variant of HMAC (RFC2104) for authentication. The
underlying hash algorithm can be either MD5 (RFC [...]) [...]. In
addition, the key generation algorithm in SSL relies on a sequence of MD5 and
SHA1 operations. SSL deploys algorithms such as RC4, DES, triple DES for
encryption/decryption operations.

The IP layer security standard protocol, IPSec (RFC2406), specifies two
standard algorithms for performing authentication operations, HMAC-MD5-96
(RFC2403) and HMAC-SHA1-96 (RFC2404). These algorithms are based on the
underlying MD5 and SHA1 algorithms, respectively. The goal of the authentication
computation is to generate a unique digital representation, called a digest, for the input
data.

Both MD5 and SHA1 specify that data is to be processed in 512-bit blocks. If
the data in a packet to be processed is not a multiple of 512 bits, padding is applied
to round up the data length to a multiple of 512 bits. Thus, if a data packet that is
received by a chip for an authentication is larger than 512 bits, the packet is broken
into 512-bit data blocks for authentication processing. If the packet is not a multiple
of 512 bits, the data left over following splitting of the packet into complete 512-bit
blocks must be padded in order to reach the 512-bit block processing size. The same
is true if a packet contains fewer than 512 bits of data. For reference, a typical
Ethernet packet is up to 1,500 bytes. When such a packet gets split into 512-bit
blocks, only the last block gets padded, so that overall a relatively small
percentage of padding overhead is required. However, for shorter packets, the padding
overhead can be much higher. For example, if a packet has just over 512 bits it will
need to be divided into two 512-bit blocks, the second of which is mostly padding, so
that padding overhead approaches 50% of the processed data. The authentication of
such short data packets is particularly burdensome and time consuming using the
conventionally implemented MD5 and SHA1 authentication algorithms.

For each 512-bit data block, a set of operations including non-linear functions,
shift functions and additions, called a "round," is applied to the block repeatedly.
MD5 and SHA1 specify 64 rounds and 80 rounds, respectively, based on different
non-linear and shift functions, as well as different operating sequences. In every
round, the operation starts with certain hash states (referred to as "context") held by
hash state registers (in hardware) or variables (in software), and ends with a new set of
hash states (i.e., an initial "set" of hash states and an end set; a "set" may be of 4 or 5
for the number of registers used by MD5 and SHA1, respectively). MD5 and SHA1
each specify a set of constants as the initial hash states for the first 512-bit block. The
following blocks use initial hash states resulting from additions of the initial hash
states and the ending hash states of the previous blocks.

Typically, MD5 and SHA1 rounds are translated into clock cycles in hardware
implementations. The addition of the hash states, to the extent that they cannot be
performed in parallel with other round operations, requires overhead clock cycles in
the whole computation. The computation of the padded portion of the data is also
generally considered performance overhead because it is not part of the true data.
Accordingly, the performance of MD5 and SHA1 degrades the most when the length of
the padding is about the same as the length of the data (e.g., as described above, when
a packet has just fewer than 512 bits of data and the padding logic requires an extra
512-bit block to be added for holding the pad values).

Moreover, the HMAC-MD5-96 and HMAC-SHA1-96 algorithms used in
IPSec expand MD5 and SHA1, respectively, by performing two loops of operations.
The HMAC algorithm for either MD5 or SHA1 (HMAC-x algorithm) is depicted in
Fig. 1. The inner hash (inner loop) and the outer hash (outer loop) use different initial
hash states. The outer hash is used to compute a digest based on the result of the inner
hash. Since the result of the inner hash is 128 bits long for MD5 and 160 bits long for
SHA1, the result must always be padded up to 512 bits and the outer hash only
processes the one 512-bit block of data. HMAC-MD5-96 and HMAC-SHA1-96
provide a higher level of security; however, additional time is needed to perform the
outer hash operation. This additional time becomes significant when the length of the
data to be processed is short, in which case the time required to perform the outer
hash operation is comparable to the time required to perform the inner hash operation.

Authentication represents a significant proportion of the time required to
complete cryptography operations in the application of cryptography protocols
incorporating both encryption/decryption and MD5 and/or SHA1 authentication
functionalities. In the case of IPSec, authentication is often the time limiting step,
particularly for the processing of short packets, and thus creates a data processing
bottleneck. Accordingly, techniques to accelerate authentication and relieve this
bottleneck would be desirable. Further, accelerated implementations of multi-round
authentication algorithms would benefit any application of these authentication
algorithms.

SUMMARY OF THE INVENTION

In general, the present invention provides an architecture (hardware
implementation) for an authentication engine to increase the speed at which multi-loop
and/or multi-round authentication algorithms may be performed on data packets
transmitted over a computer network. As described in this application, the invention
has particular application to the variants of the SHA1 and MD5 authentication
algorithms specified by the IPSec cryptography standard. In accordance with the
IPSec standard, the invention may be used in conjunction with data
encryption/decryption architecture and protocols. However, it is also suitable for use
in conjunction with other non-IPSec cryptography algorithms, and for applications in
which encryption/decryption is not conducted (in IPSec or not) and where it is purely
authentication that is accelerated. Among other advantages, an authentication engine
in accordance with the present invention provides improved performance with regard
to the processing of short data packets.

Authentication engines in accordance with the present invention apply a
variety of techniques that may include, in various applications, collapsing two
multi-round authentication algorithm (e.g., SHA1 or MD5 or variants) processing rounds
into one; reducing operational overhead by scheduling the additions required by a
multi-round authentication algorithm in such a manner as to reduce the overall critical
timing path ("hiding the adds"); and, for a multi-loop (e.g., HMAC) variant of a
multi-round authentication algorithm, pipelining the inner and outer loops. In one particular
example of applying the invention in an authentication engine using the HMAC-SHA1
algorithm of the IPSec protocol, collapsing of the conventional 80 SHA1
rounds into 40 rounds, hiding the adds, and pipelining the inner and outer loops
allows HMAC-SHA1 to be conducted in approximately the same time as conventional
SHA1.

In one aspect, the present invention pertains to an authentication engine
architecture for a multi-loop, multi-round authentication algorithm. The architecture
includes a first instantiation of a multi-round authentication algorithm hash round
logic in an inner hash engine, and a second instantiation of a multi-round
authentication algorithm hash round logic in an outer hash engine. A dual-frame
payload data input buffer configured for loading one new data block while another
data block is being processed in the inner hash engine, an initial hash state input
buffer configuration for loading initial hash states to the inner and outer hash engines
for concurrent inner hash and outer hash operations, and a dual-ported ROM
configured for concurrent constant lookups for both inner and outer hash engines are
also included. The multi-loop, multi-round authentication algorithm may be HMAC-MD5
or HMAC-SHA1.

In another aspect, the invention pertains to an authentication engine
architecture for a multi-round authentication algorithm. The architecture includes a
hash engine configured to implement hash round logic for a multi-round
authentication algorithm. The hash round logic implementation includes at least one
addition module having a plurality of carry save adders for computation of partial
products, and a carry look-ahead adder for computation and propagation of a final
sum. The multi-round authentication algorithm may be MD5 or SHA1.

In another aspect, the invention pertains to an authentication engine
architecture for an SHA1 authentication algorithm. The architecture includes at least
one hash engine configured to implement hash round logic. The logic implementation
includes five hash state registers, and one critical and four non-critical data paths
associated with the five registers. In successive SHA1 rounds, registers having the
critical path are alternated.

In another aspect, the invention pertains to a method of authenticating data
transmitted over a computer network. The method involves receiving a data packet
stream, splitting the packet data stream into fixed-size data blocks, and processing the
fixed-size data blocks using a multi-loop, multi-round authentication engine
architecture having a hash engine core with an inner hash engine and an outer hash
engine. The architecture is configured to pipeline the hash operations of the inner
hash and outer hash engines, collapse and rearrange multi-round logic to reduce
rounds of hash operations, and implement multi-round logic to schedule addition
computations to be conducted in parallel with round operations. The multi-loop,
multi-round authentication algorithm may be HMAC-MD5 or HMAC-SHA1.

In another aspect, the invention pertains to a method of authenticating data
transmitted over a computer network. The method involves receiving a data packet
stream, splitting the packet data stream into fixed-size data blocks, and processing the
fixed-size data blocks using a multi-round authentication engine architecture. The
architecture implements hash round logic for a multi-round authentication algorithm
configured to schedule addition computations to be conducted in parallel with round
operations. The multi-round authentication algorithm may be MD5 or SHA1.

In still another aspect, the invention pertains to a method of authenticating data
transmitted over a computer network using an SHA1 authentication algorithm. The
method involves providing five hash state registers, and providing data paths from the
five state registers such that four of the five data paths from the registers in any SHA1
round are not timing critical.

These and other features and advantages of the present invention will be
presented in more detail in the following specification of the invention and the
accompanying figures which illustrate by way of example the principles of the
invention.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be readily understood by the following detailed
description in conjunction with the accompanying drawings, wherein like reference
numerals designate like structural elements, and in which:

Fig. 1 is a high-level block diagram depicting the HMAC-x algorithm (HMAC
for either MD5 or SHA1) implemented in the IPSec standard protocol.

Fig. 2 is a high-level block diagram of an authentication engine architecture in
accordance with one embodiment of the present invention.

Fig. 3 is a time study diagram illustrating the critical path of the conventional
round logic of the SHA1 authentication algorithm.

Fig. 4 is a time study diagram illustrating the critical path of the round logic of
the SHA1 authentication algorithm in accordance with one embodiment of the present
invention.

Fig. 5 is a high-level block diagram of an SHA1 hash engine illustrating the
major elements of a round logic design in accordance with one embodiment of the
present invention.

Fig. 6 is a lower-level block diagram illustrating details of the scheduling of
the additions within the round logic design of Fig. 5.

DETAILED DESCRIPTION OF EMBODIMENTS OF THE INVENTION

Reference will now be made in detail to some specific embodiments of the
invention including the best modes contemplated by the inventors for carrying out the
invention. Examples of these specific embodiments are illustrated in the
accompanying drawings. While the invention is described in conjunction with these
specific embodiments, it will be understood that it is not intended to limit the
invention to the described embodiments. On the contrary, it is intended to cover
alternatives, modifications, and equivalents as may be included within the spirit and
scope of the invention as defined by the appended claims. In the following
description, numerous specific details are set forth in order to provide a thorough
understanding of the present invention. The present invention may be practiced
without some or all of these specific details. In other instances, well known process
operations have not been described in detail in order not to unnecessarily obscure the
present invention.

In general, the present invention provides an architecture (hardware
implementation) for an authentication engine to increase the speed at which multi-loop
and/or multi-round authentication algorithms may be performed on data packets
transmitted over a computer network. Authentication engines in accordance with the
present invention apply a variety of techniques that may include, in various
applications, collapsing two multi-round authentication algorithm (e.g., SHA1 or
MD5 or variants) processing rounds into one; reducing operational overhead by
scheduling the additions required by a multi-round authentication algorithm (e.g.,
SHA1 or variants) in such a manner as to reduce the overall critical timing path
("hiding the adds"); and, for an HMAC (multi-loop) variant of a multi-round
authentication algorithm, pipelining the inner and outer loops. Among other
advantages, an authentication engine in accordance with the present invention
provides improved performance with regard to the processing of short data packets.

In this specification and the appended claims, the singular forms "a," "an," and
"the" include plural reference unless the context clearly dictates otherwise. Unless
defined otherwise, all technical and scientific terms used herein have the same
meaning as commonly understood to one of ordinary skill in the art to which this
invention belongs.

The present invention may be implemented in a variety of ways. As described
in this application, the invention has particular application to the variants of the SHA1
and MD5 authentication algorithms specified by the IPSec cryptography standard. In
the following description, the invention is discussed primarily in connection with the
IPSec protocol. However, one of skill in the art will recognize that various aspects of
the invention may also be applied to multi-loop and/or multi-round authentication
algorithms generally, whether or not used with IPSec or in conjunction with
cryptography operations at all. Further, while the aspects of the present invention
described below are used together in a preferred embodiment of the invention, some
aspects may be used independently to accelerate authentication operations. For
example, the pipelining operations are particularly applicable to multi-loop,
multi-round authentication algorithms; the round-collapsing operations are particularly
applicable to SHA1 and variant authentication algorithms; while the scheduling of the
additions may be applied to any multi-round authentication algorithm.

Pipelining Inner and Outer Hash Operations 

Fig. 2 is a high-level block diagram of an authentication engine architecture in
accordance with one embodiment of the present invention. The engine architecture
implements a pipelined structure to hide the time required for performing the outer
hash operation when multiple data payloads are fed to the engine continuously. The
engine architecture includes a core having two instantiations of the hash round logic;
in this instance, inner and outer hash engines (inner and outer loops) for each of the
MD5 hash round logic and the SHA1 hash round logic supported by the IPSec
protocol. Pipeline control logic ensures that the outer hash operation for one data
payload is performed in parallel with the inner hash operation of the next data payload
in the packet stream fed to the authentication engine. A dual-frame input buffer is
used for the inner hash engine, allowing one new 512-bit block to be loaded while
another one is being processed, and the initial hash states are double buffered for
concurrent inner hash and outer hash operations. In addition, dual-ported ROM is
used for concurrent constant lookups by both inner and outer hash engines.

Referring to Fig. 2, the engine 200 includes a dual-frame input data payload
buffer 201, in this instance having a left frame 202 and a right frame 204. Input data
payloads received by the engine 200, for example from data packets received off a
network by a chip on which the engine architecture is implemented, are distributed
between the frames 202, 204 of the input data buffer 201 so that one data block may
be loaded into the buffer while another one is being processed downstream in the data
flow. Since Fig. 2 illustrates an implementation of the present invention for
processing IPSec packets, the architecture includes hash engines for the MD5 and
SHA1 authentication protocols supported by IPSec. In accordance with the MD5 and
SHA1 protocols, the input data payloads are loaded into the dual frames of the input
data buffer 201, split into 512-bit data blocks, padded if necessary (i.e., where the data
block is less than 512 bits) and stored prior to being passed to an inner hash engine for
processing. A multiplexer 206 controls the flow of 512-bit data blocks from the
frames of the input buffer to an inner hash engine.

Initial hash states are needed on a per packet basis for the first data block of each
packet. Initial hash states are generated by software based on the authentication key
and some default constant states based on the HMAC algorithm (pre-hashed), in
accordance with the specifications for these algorithms. This is typically done once per
key. Alternatively, the initial states may be derived from the default constant states
and the authentication key using the same hardware for every packet that requires
authentication.

The initial hash states for the inner hash of a given data block are loaded into a
buffer 214 associated with the inner hash engine(s) 210, 212. The initial hash states
for the outer hash of that data block are loaded into the first 215 of a pair of buffers
215, 216 (referred to as an HMAC state buffer) associated with the outer hash
engine(s) 220, 222. When the initial hash states are passed to the inner hash engine
for processing of the data block, the outer hash states for that block are loaded into the
second buffer 216, and the inner and outer initial hash states for the next packet to be
processed are loaded into the buffers 214, 215, respectively. In this way, the
synchronization of the inner and outer hash states for a given data block is maintained,
and the initial hash states are available for concurrent inner hash and outer hash
operations. Further, the double buffering of the hash states allows initial hash states
of the second packet to be loaded while the first packet is being processed so that the
data processing is continuous from packet to packet, thereby maximizing the
efficiency and processing power of the hash engine.

The engine 200 further includes a dual-ported ROM 218. The dual-ported
ROM 218 further facilitates the parallel inner and outer hash operations by allowing for
concurrent constant lookups by both inner and outer hash engines.

The inner hash is conducted on all 512-bit blocks of a given data packet. The
result of the inner hash is 128 bits long for MD5 and 160 bits long for SHA1. The result
is padded up to 512 bits and the outer hash processes the one 512-bit block of data to
compute a digest based on the result of the inner hash. An output buffer 230 stores
the digest and outputs it through a multiplexer 232.
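
The pre-hashed initial hash states, the single-block outer hash and the padding overhead of short packets described above can be checked in software. The following is an added example, not code from the application: copies of Python hashlib contexts stand in for the hardware state buffers, and the function names, sample key and sample payload are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 64  # bytes in one 512-bit block, the block size of both MD5 and SHA1


def prehash_key(key, algo="sha1"):
    """Done once per key: run the first 512-bit block of each loop
    (key XOR ipad, key XOR opad) through the hash, so that every packet
    starts from a stored initial hash state instead of the default constants."""
    if len(key) > BLOCK:
        key = hashlib.new(algo, key).digest()
    key = key.ljust(BLOCK, b"\x00")
    inner = hashlib.new(algo, bytes(k ^ 0x36 for k in key))
    outer = hashlib.new(algo, bytes(k ^ 0x5C for k in key))
    return inner, outer


def hmac_96(states, payload):
    """HMAC-x-96: the inner loop hashes the payload, the outer loop hashes
    the inner digest, and the result is truncated to 96 bits."""
    inner = states[0].copy()   # load the inner initial hash state
    inner.update(payload)
    outer = states[1].copy()   # load the outer initial hash state
    outer.update(inner.digest())
    return outer.digest()[:12]


def padded_blocks(nbytes):
    """512-bit blocks needed for nbytes of data once MD5/SHA1 padding
    (one 0x80 byte, zero fill, 64-bit length field) has been appended."""
    return (nbytes + 1 + 8 + BLOCK - 1) // BLOCK


def block_budget(payload_len, digest_len=20):
    """Blocks each loop must process per packet when the key block is
    pre-hashed: (inner blocks, outer blocks, padded share of the inner loop)."""
    inner = padded_blocks(BLOCK + payload_len) - 1
    outer = padded_blocks(BLOCK + digest_len) - 1   # always exactly one block
    return inner, outer, 1 - payload_len / (inner * BLOCK)


if __name__ == "__main__":
    key = bytes(range(20))                  # constructed sample key
    payload = b"constructed sample payload"
    tag = hmac_96(prehash_key(key), payload)
    print(tag.hex(), tag == hmac.new(key, payload, hashlib.sha1).digest()[:12])
    for n in (40, 65, 1500):                # short, just over 512 bits, Ethernet-sized
        print(n, block_budget(n))
```

For a 40-byte payload the outer loop costs as many blocks as the inner loop, which is the short-packet case the pipelined engine targets.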

Collapsing Multi-Round Authentication Algorithm Processing Rounds 

Of the two algorithms supported by the IPSec protocol, HMAC-SHA1-96 is
about twenty-five percent slower than HMAC-MD5-96 in terms of the total
computation rounds. One way to improve HMAC-SHA1-96 in an IPSec-supporting
hardware implementation is to collapse multiple rounds of logic into a single clock
cycle; thus the total number of clocks required for HMAC-SHA1-96 operation is
reduced. The same approach may be applied to any multi-round authentication
algorithm. However, simply collapsing the logic for multiple rounds into a single
clock cycle can cause the delay to compute the collapsed logic to increase, therefore
reducing the maximum clock frequency.

Fig. 3 is a time study diagram illustrating the timing critical path of the
conventional round logic of the SHA1 authentication algorithm. Registers a, b, c, d
and e hold the intermediate hash states between rounds. They are duplicated in this
figure to demonstrate the ending points of the logic paths clearly. In the actual design,
the paths are fed back to the same set of registers because the round logic is reused 80
times. The symbols identify standard adders implemented as carry look-ahead
adders (CLAs). W_i represents the incoming payload. K_i represents a constant,
obtained from ROM, used in the authentication computations. It is shown in the figure
that the timing critical paths are from registers b, c and d, going through the non-linear
function (defined by the SHA1 specification) and the adders and ending at register a.
Registers b, c, d and e each receive a non-critical input (b receives a, etc.).

Fig. 4 is a time study diagram illustrating the timing critical path of the
collapsed round logic of the SHA1 authentication algorithm in accordance with one
embodiment of the present invention. The SHA1 algorithm specifies five registers. As
illustrated above, the data paths of four of the five registers in any SHA1 round are not
critical (time limiting). In accordance with this invention, in successive SHA1 rounds
the registers having the critical path are alternated so that four registers' worth of data
may always be passed on to the next round prior to completion of the critical path in
the current round. Thus, when two rounds of SHA1 are put together, the critical path
computation of the second round is independent of that of the first round, since the
receiving register of the critical path of the first round (i.e., register a) is not the
driving register of the critical path of the second round (i.e., register e). This approach
demonstrates how two SHA1 rounds may be collapsed together while maintaining the
same amount of delay for the timing critical path, and how by alternating the critical
path from register to register between rounds in this way, the adding operations may
be "hidden."

In a preferred embodiment, the eighty rounds of an SHA1 loop are collapsed
into forty rounds. As described and illustrated above, the collapsing of rounds is
accomplished by having a single set of registers (the preferred embodiment has 5
registers as defined by the IPSec protocol) with two rounds of logic. It is
contemplated that the techniques of the invention described herein can also be applied to
further collapse the number of SHA1 rounds in an SHA1 loop into twenty or even
fewer rounds.

Scheduling the Additions 

As described above, both MD5 and SHA1 algorithms specify that the final
hash states of every 512-bit block are to be added together with the initial hash states.
The results are then used as the initial states of the next 512-bit block. In MD5,
values of four pairs of 32-bit registers need to be added and in SHA1, five pairs.
Considering that each 32-bit addition takes one clock cycle, a typical hardware
implementation would use four extra cycles in MD5 and five extra cycles in SHA1 to
perform these additions if hardware resources are limited.

As noted above with reference to Figs. 3 and 4, in both MD5 and SHA1, only
one state register is re-computed every round. The rest of the state registers use
shifted or non-shifted contents from neighboring registers. Thus, the final hash states
are not generated in the final round, but rather in the last four consecutive MD5
rounds, or five SHA1 rounds, respectively. The present invention exploits this
observation by providing architecture and logic enabling the scheduling of the
additions as early as the final hash state is available, hiding the computation time
completely behind the round operations. This is illustrated in the following
scheduling tables in which 'Ti' represents one clock cycle and 'rnd i' represents round
operation. The initial hash states are represented by ia, ib, ic, id and ie. Parallel
operations are listed in the same column.



MD5

T1      T2      T3      ...     T61     T62     T63     T64     T1
rnd 1   rnd 2   rnd 3   ...     rnd 61  rnd 62  rnd 63  rnd 64  rnd 1
                                        a+ia    d+id    c+ic    b+ib

original SHA1

T1      T2      T3      ...     T77     T78     T79     T80     T1
rnd 1   rnd 2   rnd 3   ...     rnd 77  rnd 78  rnd 79  rnd 80  rnd 1
                                e+ie    d+id    c+ic    b+ib    a+ia

collapsed SHA1

T1      T2      T3      ...     T38     T39     T40     T1
rnd 1   rnd 2   rnd 3   ...     rnd 38  rnd 39  rnd 40  rnd 1
                                                d+id    b+ib
                                                c+ic    a+ia



In one embodiment of the invention, a plurality of adds with the final hash
states may be accomplished in a single clock cycle. An example is shown in the
"collapsed SHA1" table, in which the five adds are performed in just three clock
cycles T39, T40 and T1 of the next loop. One of skill in the art will recognize that,
consistent with the principles of this invention described herein, it is possible to
perform more than two adds in parallel in one clock cycle. Moreover, it should be
noted that, as illustrated in the tables, this aspect of the present invention is applicable
to both collapsed and non-collapsed multi-round authentication algorithms.
Implementation of this aspect of the present invention in conjunction with a collapsed
multi-round algorithm is particularly advantageous since hiding of adding steps
becomes increasingly important as the number of rounds is decreased. Adds that are
not hidden in the manner of this aspect of the present invention would represent an
even larger proportion of overhead in a collapsed round implementation than in an
implementation with a higher number of rounds.

Logic Design

Fig. 5 is a high-level block diagram of an SHA1 hash engine illustrating the
major elements of a collapsed round logic design in accordance with one embodiment
of the present invention consistent with the timing critical path study of Fig. 4. The
design makes use of carry save adders (CSA; delay is equivalent to a 1-bit adder),
taking advantage of their capacity to add multiple quantities together. CSAs
efficiently add multiple quantities together to generate partial products which are not
propagated. Two comprehensive addition modules, add5to1 and add4to1 in the figure,
each use several stages of CSA followed by a carry look-ahead (CLA) adder, as
illustrated and described in more detail with reference to Fig. 6, below.

The hash engine has five registers, A, B, C, D and E. The initial hash state in
register A (a_i) goes through a 5-bit circular shift and is added to the initial hash state
in register E (e_i), the payload data (W_i), a constant (K_i), and the result of a function
(F_i) of the initial hash states in registers B, C and D by an add5to1 adder module that
is built by CSA and CLA adders. The initial hash state in register D (d_i) is added to
the payload data (W_i+1), a constant (K_i+1), and the result of a function (F_i) of the initial
hash states in registers A, B (which passes through a 30-bit circular shift) and C by an
add4to1 adder module that is built by CSA and CLA adders.

The adder modules conclude with a carry look-ahead (CLA) adder. The sum
of each adder module is added by a CLA adder to generate and propagate a final sum
for the round which is then fed back into register A for the next round. The most
timing critical input of these two modules needs only to go through the last CLA
stage.

Fig. 6 is a lower-level block diagram illustrating details of the scheduling of
the additions within the round logic design of Fig. 5. Unrolling two rounds of SHA1
operation will lead to a speed path of:

S = ((a <<< 5) + f(b, c, d) + e + w + k) <<< 5 + f(b, c, d) + e + w + k,

where a, b, c, d, e, w and k are 32-bit quantities. In accordance with the embodiment
of the present invention depicted in Fig. 5, the operation is done in two steps. Step 1
uses module add5to1 to generate:

S1 = (a <<< 5) + f(b, c, d) + e + w + k.

Step 2 uses module add4to1 and a 32-bit carry look-ahead adder (CLA) to generate:

S = S1 <<< 5 + f(b, c, d) + e + w + k.

In each step, carry save adders (CSA) are used to perform 3-2 input reduction before
the 32-bit CLA is applied. The overall delay is equivalent to two 32-bit CLA delays
plus one 32-bit CSA delay plus the delay for function f for the most timing critical
path. After all the reductions are completed via CSAs, Step 1 and Step 2 become:

S = (A + B) <<< 5 + C + D.

Implementations of the invention using this logic design in an authentication
engine using the HMAC-SHA1 algorithm of the IPSec protocol, collapsing of the
conventional 80 SHA1 rounds into 40 rounds, hiding the adds, and pipelining the
inner and outer loops have enabled HMAC-SHA1 to be conducted in approximately
the same time as conventional SHA1.
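A software model of the two-step schedule described above, added here as an example; it is not the application's logic design. The module names add5to1 and add4to1 and the operands A, B, C and D follow the text, while the function names, the ordering inside the CSA tree and the constructed sample inputs are assumptions, and `cla` is an ordinary modular add standing in for the carry look-ahead adder.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)  # SHA-1 round constants

def rotl(x, n):
    """32-bit circular left shift."""
    return ((x << n) | (x >> (32 - n))) & MASK

def csa(x, y, z):
    """3:2 carry-save adder: x + y + z == s + c (mod 2**32), no carry chain."""
    s = x ^ y ^ z
    c = (((x & y) | (x & z) | (y & z)) << 1) & MASK
    return s, c

def csa_tree(*terms):
    """Reduce n operands to a (sum, carry) pair using CSA stages only."""
    terms = list(terms)
    while len(terms) > 2:
        s, c = csa(*terms[:3])
        terms = terms[3:] + [s, c]
    return terms[0], terms[1]

def cla(x, y):
    """Stand-in for the 32-bit CLA: the only carry-propagating addition."""
    return (x + y) & MASK

def f(t, b, c, d):
    """SHA-1 round function for round index t."""
    if t < 20:
        return (b & c) | (~b & d)
    if 40 <= t < 60:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d

def collapsed_round(t, a, b, c, d, e, w):
    """Rounds t and t+1 as one step: S = (A + B) <<< 5 + C + D."""
    # Step 1 (add5to1): five operands -> CSA tree -> CLA gives the round-t sum.
    A, B = csa_tree(rotl(a, 5), f(t, b, c, d), e, w[t], K[t // 20])
    s1 = cla(A, B)
    # Step 2 (add4to1): these four operands do not depend on s1, so in
    # hardware their CSA reduction runs alongside step 1.
    b30 = rotl(b, 30)
    C, D = csa_tree(f(t + 1, a, b30, c), d, w[t + 1], K[(t + 1) // 20])
    # Critical path: one more CSA to fold in s1 <<< 5, then the second CLA.
    s2 = cla(*csa(rotl(s1, 5), C, D))
    return s2, s1, rotl(a, 30), b30, c

def sha1_collapsed(msg):
    """SHA-1 computed with 40 collapsed rounds per 64-byte block."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    pad = b"\x80" + b"\x00" * ((55 - len(msg)) % 64)
    data = msg + pad + struct.pack(">Q", 8 * len(msg))
    for off in range(0, len(data), 64):
        w = list(struct.unpack(">16I", data[off:off + 64]))
        for t in range(16, 80):
            w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
        state = tuple(h)
        for t in range(0, 80, 2):  # 40 iterations instead of 80
            state = collapsed_round(t, *state, w)
        h = [cla(x, y) for x, y in zip(h, state)]
    return "".join(f"{x:08x}" for x in h)

if __name__ == "__main__":
    # Constructed sample inputs, checked against the standard library.
    for sample in (b"", b"abc", b"A" * 56, b"packet payload " * 20):
        assert sha1_collapsed(sample) == hashlib.sha1(sample).hexdigest()
    print("collapsed-round model matches hashlib.sha1")
```

Each call to `collapsed_round` performs exactly two carry-propagating additions, which is the "two 32-bit CLA delays plus one 32-bit CSA delay" path the text describes.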

Conclusion 

Although the foregoing invention has been described in some detail for
purposes of clarity of understanding, those skilled in the art will appreciate that
various adaptations and modifications of the just-described preferred embodiments
can be configured without departing from the scope and spirit of the invention. For
example, while the present invention has been described primarily in connection with
the IPSec protocol, the principles of the invention may also be applied to multi-round
authentication algorithms generally, whether or not used in conjunction with
cryptography operations. Therefore, the described embodiments should be taken as
illustrative and not restrictive, and the invention should not be limited to the details
given herein but should be defined by the following claims and their full scope of
equivalents.

What is claimed is:

CLAIMS

1. An authentication engine architecture for a multi-loop, multi-round
authentication algorithm, comprising:
a first instantiation of a multi-round authentication algorithm hash round logic
in an inner hash engine;
a second instantiation of a multi-round authentication algorithm hash round
logic in an outer hash engine;
a dual-frame payload data input buffer configured for loading one new data
block while another data block is being processed in the inner hash engine;
an initial hash state input buffer configured for loading initial hash states to
the inner and outer hash engines for concurrent inner hash and outer hash operations;
and
a dual-ported ROM configured for concurrent constant lookups for both inner
and outer hash engines.

2. The authentication engine architecture of claim 1, wherein the multi-loop,
multi-round authentication algorithm is HMAC-MD5.

3. The authentication engine architecture of claim 1, wherein the multi-loop,
multi-round authentication algorithm is HMAC-SHA1.

4. The authentication engine architecture of claim 1, wherein at least one of the
inner and outer hash engines is configured to implement hash round logic including at
least one addition module comprising:
a plurality of carry save adders for computation of partial products; and
a carry look-ahead adder for computation and propagation of a final sum.

5. The authentication engine of claim 4, wherein the carry save adders and the
carry look-ahead adder are configured such that addition computations are conducted
in parallel with round operations.

6. The authentication engine architecture of claim 3, wherein at least one of the
inner and outer hash engines is configured to implement hash round logic comprising:
five hash state registers;
one critical and four non-critical data paths associated with the five registers,
such that in successive SHA1 rounds, registers having the critical path are alternative.

7. The authentication engine architecture of claim 6, wherein said hash round
logic is implemented such that eighty rounds of an SHA1 loop are collapsed into forty
rounds.

8. The authentication engine architecture of claim 3, wherein at least one of the
inner and outer hash engines is configured to implement hash round logic comprising:
five hash state registers;
a 5-bit circular shifter;
an add5to1 adder module having a plurality of CSAs and a CLA adder;
a 30-bit circular shifter; and
an add4to1 adder module having a plurality of CSAs and a CLA adder.

9. An authentication engine architecture for a multi-round authentication
algorithm, comprising:
a hash engine configured to implement hash round logic for a multi-round
authentication algorithm, said hash round logic implementation including at least one
addition module comprising,
a plurality of carry save adders for computation of partial products, and
a carry look-ahead adder for computation and propagation of a final sum.

10. The authentication engine of claim 9, wherein the carry save adders and the
carry look-ahead adder are configured such that addition computations are conducted
in parallel with round operations.

11. The authentication engine architecture of claim 9, wherein the multi-round
authentication algorithm is MD5.

12. The authentication engine architecture of claim 9, wherein the multi-round
authentication algorithm is SHA1.

13. The authentication engine architecture of claim 12, wherein the hash round
logic implementation comprises:
five hash state registers;
a 5-bit circular shifter;
an add5to1 adder module having a plurality of CSAs and a CLA adder;
a 30-bit circular shifter; and
an add4to1 adder module having a plurality of CSAs and a CLA adder.

14. An authentication engine architecture for an SHA1 authentication algorithm,
comprising:
at least one hash engine configured to implement hash round logic comprising:
five hash state registers;
one critical and four non-critical data paths associated with the five registers,
such that in successive SHA1 rounds, registers having the critical path are alternative.

15. The authentication engine architecture of claim 14, wherein said hash round
logic is implemented such that eighty rounds of an SHA1 loop are collapsed into forty
rounds.

16. A method of authenticating data transmitted over a computer network,
comprising:
receiving a data packet stream;
splitting the packet data stream into fixed-size data blocks; and
processing the fixed-size data blocks using a multi-loop, multi-round
authentication engine architecture having a hash engine core comprising an inner hash
engine and an outer hash engine, said architecture configured to,
pipeline hash operations of said inner hash and outer hash engines,
collapse and rearrange multi-round logic to reduce rounds of hash
operations, and
implement multi-round logic to schedule addition computations to be
conducted in parallel with round operations.

17. The method of claim 16, wherein said pipelining comprises performance of an
outer hash operation for one data payload in parallel with an inner hash operation of a
second data payload in a packet stream fed to the authentication engine.

18. The method of claim 17, wherein a dual-frame input buffer is used for the
inner hash engine.

19. The method of claim 18, wherein initial hash states for the hash operations are
double buffered for concurrent inner hash and outer hash operations.

20. The method of claim 19, wherein concurrent constant lookups are performed
from a dual-ported ROM by both inner and outer hash engines.

21. The method of claim 16, wherein the multi-loop, multi-round authentication
algorithm is MD5.

22. The method of claim 16, wherein the multi-loop, multi-round authentication
algorithm is SHA1.

23. The method of claim 22 wherein said scheduling of additions comprises:
conducting a 5-bit circular shift on data from a first register;
adding an initial hash state in a second register, a first payload data block, a
first constant, and the result of a function (F_t) of the initial hash states in third, fourth
and fifth additional registers with an add5to1 adder module having a plurality of CSAs
and a CLA adder;
conducting a 30-bit circular shift on data from the third additional register; and
adding the initial hash state in the fourth additional register to a second
payload block, a second constant, and the result of a function (F_t) of the initial hash
states in the first and fifth registers and the shifted hash state of the third register with
an add4to1 adder module having a plurality of CSAs and a CLA adder.

24. The method of claim 22, wherein said collapsing and rearranging of the multi-
round logic comprises:
providing five hash state registers; and
providing data paths from said five state registers such that four of the five
data paths from the registers in any SHA1 round are not timing critical.

25. The method of claim 24, wherein, in successive SHA1 rounds, registers having
the critical path are alternative.

26. The method of claim 25, wherein eighty rounds of an SHA1 loop are collapsed
into forty rounds.

27. A method of authenticating data transmitted over a computer network,
comprising:
receiving a data packet stream;
splitting the packet data stream into fixed-size data blocks; and
processing the fixed-size data blocks using a multi-round authentication
engine architecture, said architecture implementing hash round logic for a multi-round
authentication algorithm configured to schedule addition computations to be
conducted in parallel with round operations.

28. The method of claim 27 wherein said hash round logic comprises:
conducting a 5-bit circular shift on data from a first register;
adding an initial hash state in a second register, a first payload data block, a
first constant, and the result of a function (F_t) of the initial hash states in third, fourth
and fifth additional registers with an add5to1 adder module having a plurality of CSAs
and a CLA adder;
conducting a 30-bit circular shift on data from the third additional register; and
adding the initial hash state in the fourth additional register to a second
payload block, a second constant, and the result of a function (F_t) of the initial hash
states in the first and fifth registers and the shifted hash state of the third register with
an add4to1 adder module having a plurality of CSAs and a CLA adder.

29. A method of authenticating data transmitted over a computer network using an
SHA1 authentication algorithm, comprising:
providing five hash state registers; and
providing data paths from said five state registers such that four of the five
data paths from the registers in any SHA1 round are not timing critical.

30. The method of claim 29, wherein, in successive SHA1 rounds, registers having
the critical path are alternative.

31. The method of claim 30, wherein eighty rounds of an SHA1 loop are collapsed
into forty rounds.




WO 01/80483    PCT/US01/40507

[Sheet 1/6, FIG. 1: block diagram. Labels: initial inner hash state; initial outer hash state; data to be processed; inner hash MD5/SHA1; inner hash result; outer hash MD5/SHA1; final result (Digest).]



[Sheet 2/6, FIG. 2: block diagram. Labels: input data payload; inner hash left data buffer; inner hash right data buffer; initial hash states; inner_hash_md5; inner_hash_sha1; outer hash md5 data buffer; ROM (port0, port1); Hmac state buffer; outer_hash_md5; outer hash sha1; output hash result. Reference numerals shown: 200, 201, 202, 204, 206, 210, 212, 214, 216, 218, 220, 230.]






(12) INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT)

(19) World Intellectual Property Organization, International Bureau

(43) International Publication Date: 25 October 2001 (25.10.2001)
(10) International Publication Number: WO 01/80483 A3

(51) International Patent Classification: H04L 9/32

(21) International Application Number: PCT/US01/40507

(22) International Filing Date: 11 April 2001 (11.04.2001)

(25) Filing Language: English

(26) Publication Language: English

(30) Priority Data:
60/197,152    13 April 2000 (13.04.2000)    US
60/261,425    13 January 2001 (13.01.2001)    US
09/827,882    4 April 2001 (04.04.2001)    US

(71) Applicant (for all designated States except US): BROADCOM CORPORATION [US/US]; 16215 Alton Parkway,
Irvine, CA 92618-3616 (US).

(72) Inventors; and
(75) Inventors/Applicants (for US only): BUER, Mark [US/US]; 1027 E. Betsy Lane, Gilbert, AZ 85296 (US).
LAW, Patrick, Y. [US/US]; 19 Jacklin Circle, Milpitas, CA 95035 (US). QI, Zheng [CN/US]; 13 Jacklin Circle,
Milpitas, CA 95035 (US).

(74) Agent: AUSTIN, James, E.; Beyer Weaver & Thomas, LLP, P.O. Box 778, Berkeley, CA 94704-0778 (US).

(81) Designated States (national): AE, AG, AL, AM, AT, AU, AZ, BA, BB, BG, BR, BY, BZ, CA, CH, CN, CR, CU, CZ,
DE, DK, DM, DZ, EE, ES, FI, GB, GD, GE, GH, GM, HR, HU, ID, IL, IN, IS, JP, KE, KG, KP, KR, KZ, LC, LK, LR,
LS, LT, LU, LV, MA, MD, MG, MK, MN, MW, MX, MZ, NO, NZ, PL, PT, RO, RU, SD, SE, SG, SI, SK, SL, TJ, TM,
TR, TT, TZ, UA, UG, US, UZ, VN, YU, ZA, ZW.

(84) Designated States (regional): ARIPO patent (GH, GM, KE, LS, MW, MZ, SD, SL, SZ, TZ, UG, ZW), Eurasian

[Continued on next page]

(54) Title: AUTHENTICATION ENGINE ARCHITECTURE AND METHOD







(57) Abstract: Provided is an architecture (hardware implementation) for an
authentication engine to increase the speed at which multi-loop and/or multi-round
authentication algorithms may be performed on data packets transmitted over a computer
network. Authentication engines in accordance with the present invention apply
a variety of techniques that may include, in various applications, collapsing two
multi-round authentication algorithm (e.g., SHA1 or MD5 or variants) processing
rounds into one; reducing operational overhead by scheduling the additions
required by a multi-round authentication algorithm in such a manner as to reduce
the overall critical timing path ("hiding the adds"); and, for a multi-loop (e.g., HMAC)
variant of a multi-round authentication algorithm, pipelining the inner and outer
loops. In one particular example of applying the invention in an authentication
engine using the HMAC-SHA1 algorithm of the IPSec protocol, collapsing of the
conventional 80 SHA1 rounds into 40 rounds, hiding the adds, and pipelining the
inner and outer loops allows HMAC-SHA1 to be conducted in approximately the same
time as conventional SHA1.



patent (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), European patent (AT, BE, CH, CY, DE, DK, ES, FI, FR, GB, GR, IE,
IT, LU, MC, NL, PT, SE, TR), OAPI patent (BF, BJ, CF, CG, CI, CM, GA, GN, GW, ML, MR, NE, SN, TD, TG).

Published: with international search report

(88) Date of publication of the international search report: 4 April 2002

For two-letter codes and other abbreviations, refer to the "Guidance Notes on Codes and Abbreviations"
appearing at the beginning of each regular issue of the PCT Gazette.



INTERNATIONAL SEARCH REPORT

International Application No: PCT/US 01/40507

A. CLASSIFICATION OF SUBJECT MATTER

IPC 7 H04L9/32

According to International Patent Classification (IPC) or to both national classification and IPC

B. FIELDS SEARCHED

Minimum documentation searched (classification system followed by classification symbols): IPC 7 H04L

Documentation searched other than minimum documentation to the extent that such documents are included in the fields searched

Electronic data base consulted during the international search (name of data base and, where practical, search terms used): WPI Data, PAJ, EPO-Internal, INSPEC

C. DOCUMENTS CONSIDERED TO BE RELEVANT

Citation of document, with indication, where appropriate, of the relevant passages, followed by the claims to which it is relevant:

SCHNEIER B: "APPLIED CRYPTOGRAPHY, SECOND EDITION", 1996, JOHN WILEY & SONS, NEW YORK, US, XP002184521;
cited in the application; page 436, paragraph 18.5 - page 440; page 442, paragraph 18.7 - page 444.
Relevant to claim No.: 14, 29, 30; 1-3, 6, 9, 11, 12, 16, 21, 22, 24, 25, 29






Date of the actual completion of the international search: 3 December 2001

Date of mailing of the international search report: 20/12/2001

Name and mailing address of the ISA: European Patent Office, P.B. 5818 Patentlaan 2, NL - 2280 HV Rijswijk,
Tel. (+31-70) 340-2040, Tx. 31 651 epo nl, Fax: (+31-70) 340-3016

Authorized officer: Masche, C




C. (Continuation) DOCUMENTS CONSIDERED TO BE RELEVANT

Citation of document, with indication, where appropriate, of the relevant passages, followed by the claims to which it is relevant:

TOUCH J D: "PERFORMANCE ANALYSIS OF MD5", COMPUTER COMMUNICATIONS REVIEW, ASSOCIATION FOR COMPUTING
MACHINERY, NEW YORK, US, vol. 25, no. 4, 1 October 1995 (1995-10-01), pages 77-86, XP000541653, ISSN: 0146-4833;
figures 2, 7-10; page 84, right-hand column, line 11 - line 21; page 84, left-hand column, line 12;
page 83, left-hand column, line 15 - right-hand column, line 7; abstract.
Relevant to claim No.: 27; 1, 2, 5, 8, 9, 11, 13, 16, 21, 23, 28

BELLARE M: "MESSAGE AUTHENTICATION USING HASH FUNCTIONS - THE HMAC CONSTRUCTION", RSA LABORATORIES'
CRYPTOBYTES, vol. 2, no. 1, 1996, pages 1-5, XP002184520; abstract; page 2, left-hand column, line 17 -
right-hand column, line 31.
Relevant to claim No.: 1-3, 9, 11, 12, 14, 16, 21, 22, 29

STALLINGS W: "SHA: THE SECURE HASH ALGORITHM PUTTING MESSAGE DIGESTS TO WORK", DR. DOBBS JOURNAL,
REDWOOD CITY, CA, US, 1 April 1994 (1994-04-01), page 32, 34, XP000570561; the whole document.
Relevant to claim No.: 1, 3, 6, 9, 12, 14, 16, 22, 27, 29






